disable SSLv3


lluis
Hello,
I am trying to disable SSLv3 to prevent POODLE attack on adito, which
uses wrapper. I've tried to add this
to /usr/local/src/adito-0.9.1/conf/wrapper.conf:

wrapper.java.additional.1=-Dhttps.protocols="TLSv1"

and in fact is added to the java command:

/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
-Dhttps.protocols="TLSv1" -Xms64m -Xmx512m
-Djava.library.path=install/platforms/linux/x86 -classpath
build/boot:lib/adito-boot.jar -Dwrapper.key=iegai2ohDeiThaeK
-Dwrapper.port=32000 -Dwrapper.use_system_time=TRUE
-Dwrapper.version=3.1.2 -Dwrapper.native_library=wrapper
-Dwrapper.service=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=1
com.adito.boot.Bootstrap

but it is still responding to SSLv3 requests:

# openssl s_client -connect localhost:443 -ssl3
CONNECTED(00000003)
(...)
verify error:num=18:self signed certificate


* some system info:

CentOS 5.8 (2.6.18-308.8.2.el5)
openssl-0.9.8e-31.el5_11
adito-0.9.1
Java(TM) SE Runtime Environment (build 1.6.0_14-b08)
Wrapper (Version 3.2.3)

any hints to disable SSLv3?


--

Lluís Gili
Ingent Grup Systems ~ http://www.ingent.net ~
Tel. 933935931


------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net
_______________________________________________
Wrapper-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/wrapper-user
Re: disable SSLv3

Dannes Wessels-2
Hi,

> On 30 Dec 2014, at 14:57 , lluis <[hidden email]> wrote:
>
> I am trying to disable SSLv3 to prevent POODLE attack on adito, which
> uses wrapper. I've tried to add this
> to /usr/local/src/adito-0.9.1/conf/wrapper.conf:
>
> wrapper.java.additional.1=-Dhttps.protocols="TLSv1"
>
> and in fact is added to the java command:
>
> /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java

the instructions you use are for the OracleVM ; I have my doubts whether it can be used for the OpenJDK6 VM (very old and incompatible with too much code).

The work around is... install the OracleVM ?

regards

Dannes


Re: disable SSLv3

lluis
Hello,
I've tried installing Oracle JDK 7, with same results

# java -version
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) 64-Bit Server VM (build 24.71-b01, mixed mode)

now the wrapper command looks like this:

/usr/java/jdk1.7.0_71/bin/java -Dhttps.protocols="TLSv1"
-Dsun.security.ssl.allowUnsafeRenegotiation=false (...)

(I've also added allowUnsafeRenegotiation=false)
some more hints?

thanks,
Lluís


On Tue, 30 Dec 2014 at 20:01 +0100, Dannes Wessels wrote:

> Hi,
>
> > On 30 Dec 2014, at 14:57 , lluis <[hidden email]> wrote:
> >
> > I am trying to disable SSLv3 to prevent POODLE attack on adito, which
> > uses wrapper. I've tried to add this
> > to /usr/local/src/adito-0.9.1/conf/wrapper.conf:
> >
> > wrapper.java.additional.1=-Dhttps.protocols="TLSv1"
> >
> > and in fact is added to the java command:
> >
> > /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
>
> the instructions you use are for the OracleVM ; I have my doubts whether it can be used for the OpenJDK6 VM (very old and incompatible with too much code).
>
> The work around is... install the OracleVM ?
>
> regards
>
> Dannes
>

--

Lluís Gili
Ingent Grup Systems ~ http://www.ingent.net ~
Tel. 933935931


Re: disable SSLv3

Dannes Wessels-2
Hi,


On 31 Dec 2014, at 9:35 , lluis <[hidden email]> wrote:

some more hints?

sorry, though your way of checking might not be ok, I would not know….. what you should check is what happens if you don't use the wrapper to start the same application with the same parameters. Also could verify with jconsole if the command-line parameters are actually sent into the JVM.

anyway I don’t think this mailing list is the correct place to ask a JVM-specific question. It is better to scan http://stackoverflow.com for the same question, or post it there if it has not been asked before.

cheers

Dannes


Re: disable SSLv3

Dannes Wessels-2
please check wrapper.java.additional.1=-Dhttps.protocols=TLSv1 as well (without the double quotes around the value)

cheers



Dannes


> On 31 Dec 2014, at 11:31 , Dannes Wessels <[hidden email]> wrote:
>
>> On 31 Dec 2014, at 9:35 , lluis <[hidden email]> wrote:
>>
>> some more hints?
>
> sorry, though your way of checking might not be ok, I would not know….. what you should check is what happens if you don't use the wrapper to start the same application with the same parameters. Also could verify with jconsole if the command-line parameters are actually sent into the JVM.
>
> anyway I don’t think this mailing list is the correct place to ask a JVM-specific question. It is better to scan http://stackoverflow.com for the same question, or post it there if it has not been asked before.


Re: disable SSLv3

lluis
In reply to this post by Dannes Wessels-2
Hi,
checked without wrapper and it still ignores https.protocols so it seems
not related to wrapper
maybe adito modifies these settings on runtime

thanks for your help Dannes!
Lluís

On Wed, 31 Dec 2014 at 11:31 +0100, Dannes Wessels wrote:

> Hi,
>
>
> > On 31 Dec 2014, at 9:35 , lluis <[hidden email]> wrote:
> >
> > some more hints?
>
>
> sorry, though your way of checking might not be ok, I would not
> know….. what you should check is what happens if you don't use the
> wrapper to start the same application with the same parameters. Also
> could verify with jconsole if the command-line parameters are actually
> sent into the JVM.
>
>
> anyway I don’t think this mailing list is the correct place to ask a
> JVM-specific question. It is better to
> scan http://stackoverflow.com for the same question, or post it there
> if it has not been asked before.
>
>
> cheers
>
>
> Dannes
>
>

--

Lluís Gili
Ingent Grup Systems ~ http://www.ingent.net ~
Tel. 933935931
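
An added example, not from the thread and not adito or Wrapper code: in JSSE the `https.protocols` property is read by `HttpsURLConnection` clients, while a listening socket takes its protocol list from `setEnabledProtocols`, which is consistent with the flag having no effect on port 443 here. The class name `ServerProtocolCheck` and the helper `withoutSslv3` are hypothetical, and how adito configures its own server socket is not stated in the thread.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Added example (hypothetical class, not adito or Wrapper code).
public class ServerProtocolCheck {

    // Return the given protocol list with SSLv3 removed.
    static String[] withoutSslv3(String[] enabled) {
        List<String> kept = new ArrayList<String>();
        for (String p : enabled) {
            if (!p.equals("SSLv3")) {
                kept.add(p);
            }
        }
        if (kept.isEmpty()) {
            throw new IllegalStateException("no protocol left to enable");
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Same effect as passing -Dhttps.protocols=TLSv1 on the command line.
        System.setProperty("https.protocols", "TLSv1");

        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // Port 0 picks any free port; no client connects in this check.
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0);
        try {
            // The property does not narrow this list to TLSv1: a listening
            // socket keeps the JVM's default enabled protocols.
            System.out.println("enabled with https.protocols=TLSv1: "
                    + Arrays.toString(server.getEnabledProtocols()));

            // The per-socket setting is what the listening socket obeys.
            server.setEnabledProtocols(withoutSslv3(server.getEnabledProtocols()));
            System.out.println("enabled after filtering SSLv3:      "
                    + Arrays.toString(server.getEnabledProtocols()));
        } finally {
            server.close();
        }
    }
}
```

Run it on the same JVM that starts the service and compare the two printed lists; on a JVM whose defaults already exclude SSLv3 both lists are identical.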

